
@joestringer
Last active May 4, 2016 22:41
Trigger kernel crash during deferred namespace teardown after conntrack helper is unloaded
#!/bin/bash
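# Value written to net.netfilter.nf_conntrack_helper inside each test
# namespace by setup(). A non-zero value enables automatic conntrack helper
# assignment, so FTP control connections get the nf_conntrack_ftp helper
# attached without an explicit CT rule; presumably that is the precondition
# for the crash named in the gist title (hence the variable name).
# Defaults to 1; export crash=0 for a control run with automatic assignment
# switched off.
crash=${crash:-1}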
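#######################################
# Build the test topology: load the FTP conntrack helper module, create
# bridge br0, and hang two namespaces (ns1, ns2) off it through veth pairs
# addressed 10.1.1.1/24 and 10.1.1.2/24.
# Globals:   crash (read) - value for net.netfilter.nf_conntrack_helper
# Arguments: none
# Returns:   status of the last command; no intermediate status is checked,
#            so a failed step (e.g. br0 left over from an earlier run) does
#            not stop the ones after it.
# Needs root plus modprobe, brctl, ip and sysctl.
#######################################
setup() {
  # Loop state is kept local so it does not leak into the caller's scope.
  local idx ns_name link_base

  modprobe nf_conntrack_ftp
  brctl addbr br0
  ip link set dev br0 up

  for idx in 1 2; do
    ns_name="ns${idx}"
    link_base="veth${idx}"

    ip netns add "${ns_name}"
    # The "-host" end stays in the invoking namespace and joins the bridge;
    # the peer is created directly inside the new namespace.
    ip link add "${link_base}-host" type veth \
      peer name "${link_base}-${ns_name}" netns "${ns_name}"
    ip link set dev "${link_base}-host" up
    brctl addif br0 "${link_base}-host"

    ip netns exec "${ns_name}" \
      ip addr add dev "${link_base}-${ns_name}" "10.1.1.${idx}/24"
    ip netns exec "${ns_name}" ip link set dev "${link_base}-${ns_name}" up
    # Run inside the namespace, so the sysctl applies to that namespace only.
    ip netns exec "${ns_name}" \
      sysctl -w "net.netfilter.nf_conntrack_helper=${crash}"
  done
}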
#######################################
# Generate FTP traffic between the namespaces so conntrack entries exist
# when teardown() runs: start test-l7.py (presumably an FTP server, given
# the "ftp" argument and the pid file name) in ns1, fetch from it with wget
# in ns2 using active-mode FTP, then wait for the operator before killing
# the server.
# Globals:   none
# Arguments: none
# Outputs:   ftpd.pid and wget0.log in the current directory; an empty line
#            and the "Ready to kill" prompt on the terminal.
# Returns:   status of the final kill.
#######################################
run() {
  # -4: IPv4 only; --no-passive-ftp: active mode; -t 3 / -T 1: three tries
  # with a one-second timeout; -o: log to wget0.log; -d: debug output.
  local -a fetch_opts=(
    -4 --no-passive-ftp -t 3 -T 1
    -o wget0.log --retry-connrefused -v --server-response --no-proxy
    --no-remove-listing -d
  )

  # The tilde path must stay unquoted so bash expands it to joe's home.
  ip netns exec ns1 python ~joe/ovs/tests/test-l7.py ftp &
  echo $! > ftpd.pid

  ip netns exec ns2 wget ftp://10.1.1.1 "${fetch_opts[@]}"
  sleep 1
  echo

  # Blocks until Enter is pressed; the line read is discarded.
  read -p "Ready to kill"
  kill "$(<ftpd.pid)"
}
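#######################################
# Dismantle the topology and unload the FTP conntrack helper. The statement
# order is the point of the script: the namespaces are deleted while their
# conntrack tables may still hold FTP entries, and the helper module is
# removed right afterwards (the gist title describes the namespace cleanup
# as deferred), so do not reorder these steps.
# Globals:   none
# Arguments: none
# Outputs:   matching conntrack entries and a notice per namespace that
#            still tracks FTP connections.
# Returns:   status of modprobe -r; no intermediate status is checked.
#######################################
teardown() {
  # Loop index is local so it does not leak into the caller's scope.
  local idx

  ip link set dev br0 down
  brctl delbr br0

  for idx in 1 2; do
    # grep both prints the matching entries and decides the branch.
    if ip netns exec "ns${idx}" conntrack -L | grep ftp; then
      echo "ns${idx} has ftp connections, we're gonna crash!"
    fi
    ip link del "veth${idx}-host"
    ip netns del "ns${idx}"
  done

  # Flushes only the conntrack table of the namespace the script runs in.
  conntrack -F
  # Not cleaning up conntrack in ns1/ns2; crash races with deletion above
  modprobe -r nf_conntrack_ftp
}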
# Entry point: build the topology, generate FTP traffic, tear it down.
# Stage exit statuses are not checked, so every stage runs regardless of
# the previous one and the script exits with teardown's status.
# Requires root; on an affected kernel the host is expected to crash during
# or shortly after teardown, so run it where the panic output can be
# captured (for example a VM with a serial console).
main() {
  setup
  run
  teardown
}

main "$@"